Collaborative web-based airplane level failure effects analysis tool

ABSTRACT

Embodiments of methods, apparatuses, and articles for receiving system malfunction effects data including at least one malfunction and a plurality of direct and indirect effects associated with each of the at least one malfunction and storing the received system malfunction effects data, are described herein. The embodiments may also facilitate a user in viewing and/or modifying the system malfunction effects data, and the viewing includes presenting the data in a relational fashion, with each malfunction linked to one or more direct effects, and each direct effect linked to one or more indirect effects.

FIELD OF THE INVENTION

The present invention relates to the field of data processing, inparticular, to methods and apparatuses for receiving and storing systemmalfunction effects data, and for facilitating a user in viewing and/ormodifying the data.

BACKGROUND OF THE INVENTION

Advances in airplane design have led to the development of numerousmutually dependent systems. Failures or malfunctions of one or more ofthese systems often affect other systems, directly or indirectly.Additionally, analysis of these failures/malfunctions and their directand indirect effects is often required as part of a certificationprocess. Typically such analyses are manually performed by groups ofsystem analysts, without reference to a system or process capable offacilitating such analyses.

Additionally, advances in networks and computer systems haveincreasingly facilitated computer system users in collaborating withother users in the creation and modification of a shared block of data.Examples abound, including online “bulletin boards,” which allowmultiple users in different locations connected by the Internet or someother network to collaborate in creating and modifying data of the“bulletin board.”

While recent advances have allowed groups of system analysts tocollaborate through a tool similar to an online bulletin board, nosystem or process has presented the malfunction and failure effects datain a relational fashion, for example, with each malfunction/failurelinked to one or more direct effects, and each direct effect linked toone or more indirect effects, facilitating users in definingmalfunctions/failures and direct and indirect effects, and in viewingand/or modifying the malfunctions/failures and effects.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be described by way of exemplary embodiments,but not limitations, illustrated in the accompanying drawings in whichlike references denote similar elements, and in which:

FIG. 1 illustrates an overview of the present invention, in accordancewith various embodiments;

FIG. 2 illustrates a flowchart view of selected operations of thepresent invention, in accordance with various embodiments;

FIG. 3 illustrates a collaborative, roles-based aspect of the presentinvention, in accordance with various embodiments;

FIG. 4 illustrates an exemplary relational database schema of thepresent invention, including a plurality of malfunction and effectstables, in accordance with various embodiments; and

FIG. 5 illustrates an example computing device suitable for use topractice the present invention, in accordance with various embodiments.

SUMMARY

Illustrative embodiments of the present invention include, but are notlimited to, methods and apparatuses for receiving system malfunctioneffects data including at least one malfunction and a plurality ofdirect and indirect effects associated with each of the at least onemalfunction, and storing the received system malfunction effects data.The illustrative embodiments may also facilitate a user in viewingand/or modifying the system malfunction effects data, and the viewingincludes presenting the data in a relational fashion, with eachmalfunction linked to one or more direct effects, and each direct effectlinked to one or more indirect effects. The features, functions, andadvantages of the illustrative embodiments can be achieved independentlyin various embodiments of the present invention or may be combined inyet other embodiments.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Various aspects of illustrative embodiments of the present inventionwill be described using terms commonly employed by those skilled in theart to convey the substance of their work to others skilled in the art.However, it will be apparent to those skilled in the art that alternateembodiments may be practiced with only some of the described aspects.For purposes of explanation, specific numbers, materials, andconfigurations are set forth in order to provide a thoroughunderstanding of the illustrative embodiments. However, it will beapparent to one skilled in the art that alternate embodiments may bepracticed without the specific details. In other instances, well-knownfeatures are omitted or simplified in order not to obscure theillustrative embodiments.

Further, various operations will be described as multiple discreteoperations, in turn, in a manner that is most helpful in understandingthe illustrative embodiments; however, the order of description shouldnot be construed as to imply that these operations are necessarily orderdependent. In particular, these operations need not be performed in theorder of presentation.

The phrase “in one embodiment” is used repeatedly. The phrase generallydoes not refer to the same embodiment; however, it may. The terms“comprising,” “having,” and “including” are synonymous, unless thecontext dictates otherwise. The phrase “A/B” means “A or B”. The phrase“A and/or B” means “(A), (B), or (A and B)”. The phrase “at least one ofA, B and C” means “(A), (B), (C), (A and B), (A and C), (B and C) or (A,B and C)”. The phrase “(A) B” means “(B) or (A B)”, that is, A isoptional.

FIG. 1 illustrates an overview of the present invention, in accordancewith various embodiments. As illustrated, for the embodiments, a client102 may be connected to a server 106. The server 106 may receivemalfunction and failure cases 110, and direct and indirect effects112/114 of such cases from the client 102, and in some embodiments, mayreceive malfunctions/failures 110 and effects 112/114 automatically froman affected system 104, and may determine the relationships between themalfunctions/failures 110 and effect 112/114 received from the systemsby reference to a system design database 118. A collaborative tool 107of server 106 may then store the received system malfunction effectsdata (content 108) in a database, such as database 116. The tool 107 mayalso facilitate a user of client 102 in viewing and/or modifying thecontent 108, and may present the malfunctions 110 and effects 112/114 toa user through client 102 in a relational fashion, with each malfunction110 linked to one or more direct effects 112, and each direct effect 112linked to one or more indirect effects 114.

In various embodiments, client 102 may be a computer system having a webbrowser, such as Internet Explorer, Netscape, or Mozilla. The client mayfacilitate a user in interacting with a web application provided by aremote server, such as the collaborative tool 107 of server 106. Inalternate embodiments, the client 102 may include a web-applicationspecific agent, only facilitating a user in interacting withcollaborative tool 107. In either case, the generic browser or webapplication specific agent may be a process of a computer system. In yetother embodiments, client 102 may be a system simulation program of thecomputer system capable of interacting with collaborative tool 107. Thecomputer system may be of any sort known in the art, such as a PC, aworkstation, a server, a PDA, or a mobile device. The computer system ofclient 102 may be connected to server 106 via a networking fabric (notshown). The networking fabric may include local and/or wide areanetworking, wired and/or wireless, and may utilize any communicationprotocol known in the art, such as TCP/IP or ATM.

As shown, system 104 may be any sort of electrical and/or mechanicalsystem, such as an airplane, or systems/subsystems disposed thereon,that may malfunction or be affected by a malfunction 110. In someembodiments, a system 104 may be equipped with a sensor or embeddedsystem capable of automatically transmitting a signal to server 106indicating a malfunction 110.

In some embodiments, server 106 may be any sort of computer system knownin the art equipped with an embodiment of collaborative tool 107 of thepresent invention. An exemplary computer system capable of performingthe operations of server 106 is illustrated by FIG. 5.

Server 106 may also be connected via a networking fabric (not shown) toa database server (not shown) storing database 116 and to the same oranother database server storing system design database 118. Such anetworking fabric may be of any sort known in the art, such as thenetworks mentioned above, and may be the same networking fabric as thenetworking fabric mentioned above. The database server(s) may also beany sort of computer system known in the art, such as the computersystems mentioned above. In other embodiments, database 116 and/orsystem design database 118 may be stored locally on server 106, removingthe need for database server(s).

The database 116 may, in various embodiments, be a relational databasecomprised of a plurality of tables capable of storing malfunctions 110and effects 112/114 in a relational fashion. Such relational databasesare well known in the art. In yet other embodiments, server 106 may notbe connected to or have a database 116, but may instead storemalfunctions 110, effects 112/114, and their relationships in a file.

In some embodiments, system design database 118 may also be a relationaldatabase comprised of a plurality of tables capable of storing airplanedesign schematics. In yet other embodiments, server 106 may not beconnected to or have a system design database 118, but may instead storeairplane design schematics in a file.

In one embodiment, client 102, server 106, database 116, and systemdesign database 118 may all reside on the same computer system, forexample, in a plurality of virtual machines of the computer system.

As is shown, server 106 may receive malfunction and failure cases 110from users of clients 102. The malfunctions 110 defined and entered byusers of clients 102 may be, in some embodiments, any sort of airplanelevel system failure or malfunction. For example, users may enter themalfunction 110 of an airplane electrical bus or an airplanenavigational system. In various embodiments, each of the enteredmalfunctions 110 may affect one or more other systems of the airplane.Further, users may also enter a probability and a hazard level for eachmalfunction 110, the probability indicating the chance of themalfunction 110 occurring in flight, and the hazard level indicating theeffect of the malfunction 110 on airplane occupants and operations. Theusers tasked with entering and defining malfunction cases 110,probabilities, and hazard levels may be organized into design groups ofairplane integration, safety, system analysts, and regulatoryauthorities. In one embodiment, each group may focus on a particularsystem or set of systems which fall within the expertise of members ofthe groups. In other embodiments, a single user may enter and definesome or all of the malfunctions 110 via the client 102. Server 106 mayreceive the defined malfunctions 110 in a batch, at predetermined updatetimes, or in real time as the malfunctions 110 are defined and enteredby users into client 102.

In various embodiments, the users of clients 102 may be assignedpermission levels, and only users of a certain permission level mayenter malfunction cases 110. The collaborative tool 107, or a separateprocess of server 106, may determine if a user of client 102 has loggedon with an appropriate permission level before accepting the malfunctioncases 110 from client 102. In some embodiments, where the tool 107 is aweb application and the client 102 includes a web browser, the tool 107may first provide client 102 with a login/authentication web page, ofthe sort often used in the art, and may provide the client 102 with aweb page allowing the entry of malfunction cases 110 only when the tool107 has ascertained that the user of client 102 has the properpermission level.

In some embodiments, any scheme of permission levels known in the artmay be used. For example, the tool 107 may define roles of“ReadOnlyUser,” “ReadWriteUser,” “SystemFocal,” and “Admin.” A“ReadOnlyUser” may only view the malfunctions 110, effects 112/114, andtheir relationships, but may not enter or modify them. A “ReadWriteUser”has the privileges of a “ReadOnlyUser” and may also enter direct effects112 and indirect effects 114 of certain malfunctions 110, and may alsoenter associated flight deck messages and compensatory flight crew/pilotactions that may be taken in the event the malfunction occurs. The usermay then only modify and/or delete the data that he or she has entered.A “SystemFocal” user has the privileges of a “ReadWriteUser,” and mayalso enter, update, and delete malfunction cases 110 for one or moresystems. An “Admin” user may have complete permissions to view, enter,update, and delete malfunctions 110, effects 112/114, and associateddata.

In alternate embodiments, malfunction cases 110 may be received directlyby the server 106 from the malfunctioning system 104. The system 104 maybe equipped with a sensor or embedded system capable of transmitting asignal in the event of a system 104 malfunctions or fails. Upon sensinga malfunction 110, the sensor or embedded system may immediately alertthe server 106, in real time. The signal sent may be of any sort knownin the art, such as a radio frequency (RF) signal or a light signal.Such sensors, embedded devices, and signals are well known in the art,and need not be described further.

As illustrated, server 106 may also receive direct effects 112 andindirect effects 114 of malfunction cases 110 from clients 102, enteredby users of clients 102. A direct effect 112 may be any primary effectresulting directly from a system malfunction 110. An indirect effect 114may be any secondary, tertiary, and so on, effect resulting indirectlyfrom a system malfunction 110 and directly from a direct effect 112 orfrom another indirect effect 114. Thus, users may enter effects 112/114and their propagation, indicating for each entered effect 112/114 whichmalfunction 110, direct effect 112, or indirect effect 114 the newlyentered effect 112/114 may result from. For example, the electric busmalfunction 110 mentioned above may have a number of direct effects 112,such as hydraulic effects, navigational effects, and avionics effects.The hydraulic effect may be associated with an indirect effect 114, suchas a flight control effect, and the indirect flight control effect 114may be associated with a further indirect effect 114, such as an airframe vibration effect. In some embodiments, an effect 112/114 may beassociated with a combination of malfunction cases 110, other effects112/114, or combinations of both, only occurring when the combinationoccurs. Thus, for example, a certain direct effect 112 may occur onlywhen two malfunctions 110 occur, or a certain indirect effect 114 mayoccur only when two direct effects 112 and/or indirect effects 114occur. Further, in various embodiments, when a direct effect 112 hasbeen entered for one malfunction 110, and is then entered again for asecond malfunction 110, the tool 107 may map the indirect effect(s) 114associated with that direct affect 112 to the second entry of the directeffect 112, removing the need to reenter the same data.

In some embodiments, the effects 112/114 are entered by the same groupsof users that have entered the malfunction cases 110. In otherembodiments, the effects 112/114 are entered by additional teams ofsystem analysts. As mentioned above, only users with a certainpermission level may enter the various effects 112/114. For example,tool 107 may require that a user be a “ReadWriteUser,” a “SystemFocal”user, or an “Admin” user to enter effects 112/114 of malfunctions 110.In some embodiments, the malfunctions 110, direct effects 112, andindirect effects 114 are entered in iterative cycles, with the tool 107notifying users through clients 102 or through email when a newmalfunction 110 or effect 112/114 has been entered, necessitating theusers' review and the entry of additional levels of direct effects 112and indirect effects 114. Further, in addition to entering directeffects 112 and indirect effects 114, users may also enter flight deckmessages and compensatory pilot/flight crew actions associated with amalfunction case 110, and occurrence probabilities and hazard levels foreach effect, similar to the probabilities and hazard levels describedabove in reference to malfunction cases.

In an alternate embodiment, the server 106 may receive signalsindicating malfunctions 110 from system 104, rather than or in additionto receiving malfunction cases 110 and effects 112/114 entered by users.The systems 104 experiencing a malfunction 110 or an effect 112/114 of amalfunction 110 (manifesting itself as a secondary or tertiarymalfunction) may alert server 106 of the malfunctions 110 in the mannerdescribed above. The tool 107 of server 106 may then deduce whichreceived signals indicate malfunctions 110, which indicate directeffects 112, and which indicate indirect effects 114 either from thetime of signal arrival or from a pre-determined airplane schematicindicating system relationships. Such a schematic may be stored in theabove described system design database 118. In one embodiment, theclient 102 may use collaborative tool 107 to view the malfunction 110and effects 112/114 received from the systems and may use the airplaneschematic to determine effects relationships. Each system 104 may have aunique signal, thus allowing the tool 107 to determine the system 104experiencing the malfunction 110 or effect 112/114.

Referring again to FIG. 1, the collaborative tool 107 of server 106 maystore the received malfunction cases 110, effects 112/114, and otheradditional information (comprising system malfunction effects data) in adatabase 116, in some embodiments. Database 116 may be any sort ofdatabase known in the art, including a relational database possessing aplurality of tables connected by data relationships. Each malfunction110 and effect 112/114 may be stored in a table, with the relationshipsbetween the tables corresponding to the relationships between themalfunctions 110, direct effects 112, and indirect effects 114. Flightdeck messages and compensatory actions of the kind described above maybe stored in their own tables or may be stored as fields of malfunctionor effect tables for the malfunction 110 or effect 112/114 to which themessages and actions are related. Additionally, the above tables mayinclude fields for probabilities and hazard levels. In alternateembodiments, tool 107 may store the system malfunction effects data 108in structures of a file rather than in database 116.

As shown, once collaborative tool 107 of server 106 has received andstored the system malfunction effects data 108, the tool 107 mayfacilitate users in viewing and/or modifying the data 108 throughclients 102. A user requesting to view one or more malfunctions 110 andtheir direct effects 112 and indirect effects 114, may have the content108 comprising the requested malfunctions 110 and effects 112/114presented in a relational fashion, illustrating the associations betweeneach malfunction 110 and its one or more direct effects 112, betweeneach direct effect 112 and its possible one or more indirect effects114, and in some embodiments, between each indirect effect 114 and itsfurther one or more indirect effects 114. The content 108 may bepresented in a graphic tree structure on a web page created by tool 107,and the web page illustrating content 108 may be sent to client 102, anddisplayed on the client 102 to the user. Thus, the user may view agraphic web page displaying malfunctions 110 and their associatedeffects 112/114, with the effect propagation illustrated by a treestructure or some similar graphic representation. In other embodiments,displayed content 108 may also include flight deck messages andcompensatory actions, and may include the messages and actions as partof the web page graphic display generated by tool 107. In yet otherembodiments, the web page provided to client 102 may be and interactiveweb page, facilitating a user in viewing probabilities and hazard levelsassociated with a malfunction 110 or effect 112/114 by returning anadditional web page displaying such content in response to a user clickon a malfunction 110 or effect 112/114 on the interactive webpagecreated by tool 107. In addition to the above described design groups,pilots and other airline personnel may also view the system malfunctioneffects data 108. Such users might be assigned a permission level of“ReadOnlyUser.”

In various embodiments, the web page generated by tool 107 may alsofacilitate a user in modifying malfunctions 110, effects 112/114, orassociated data. The ability of a user to modify or delete any portionof the data 108 may be controlled by a permission level of the user, asdiscussed above, with some users only able to edit or delete effects112/114 of a certain malfunction 110, some users able to do that, and inaddition edit and delete certain malfunctions 110, and some users ableto edit and delete any portion of the system malfunction effects data108. Such modifications may be achieved by providing users withinteractive web page elements for those elements the user is able tomodify. For example, a web page for a certain user might haveinteractive effect 112/114 boxes displayed as part of the web page. Theuser might either be able to change information displayed in the boxesor delete the boxes. Such interactivity may be achieved by client and/orserver side scripting. This sort of scripting is well known in the art,and need not be described further. Additionally, if a user deletes aneffect 112/114, any indirect effects 114 associated only with thateffect 112/114 may also be automatically deleted. The user'smanipulations of the displayed data may be communicated back to server106 by client 102, and stored by tool 107.

Further, in some embodiments, collaborative tool 107 may recommenddesign changes to an airplane design. Design change recommendationsmight be triggered by the result of a hazard level or levels of one ormore malfunctions 110 and/or effects 112/114 multiplied by theprobabilities of the malfunctions/effects 110/112/114 exceeding acertain threshold. For example, hazard levels might be numericallyrepresented, with a “one” indicating the lowest hazard level and a“five” indicating the highest. A threshold metric triggering a designchange recommendation might be “three.” Thus, any malfunction 110 oreffect 112/114 having a hazard level of “five” and a probability ofsixty percent or more would trigger a design change recommendation. Adesign change recommendation might be triggered by a more complexformula as well, such as one measuring the number of levels of indirecteffects 114 and/or considering the probabilities of occurrence of theeffects 112/114 in the case of a malfunction 110. Such a recommendationmight result in a “halt” message being sent to personnel and/or systemsresponsible for an airplane system supply chain. Alert emails notifyingusers of the design change recommendation may also be sent to the designgroup or groups associated with the malfunction(s) 110 and/or effect(s)112/114 triggering the recommendation.

In some embodiments, the collaborative tool 107 of server 106 may alsogenerate reports capable of use in an airplane design certificationprocess. Tool 107 may provide a web page to a user of a client 102 thatallows a client to select among and/or enter a number of parameters tocustomize the report generated by the tool 107.

FIG. 2 illustrates a flowchart view of selected operations of thepresent invention, in accordance with various embodiments. As is shown,a server may receive malfunction and failure cases from users ofclients, block 202. The malfunctions defined and entered by users ofclients may be, in some embodiments, any sort of airplane level systemfailure or malfunction. For example, users may enter the malfunction ofan airplane electrical bus or an airplane navigational system. Invarious embodiments, each of the entered malfunctions may affect one ormore other systems of the airplane. Further, users may also enter aprobability and a hazard level for each malfunction, the probabilityindicating the chance of the malfunction occurring in flight, and thehazard level indicating the effect of the malfunction on airplaneoccupants and operations. The users tasked with entering and definingmalfunction cases, probabilities, and hazard levels may be organizedinto design groups of airplane integration, safety, system analysts, andregulatory authorities. In one embodiment, each group may focus on aparticular system or set of systems which fall within the expertise ofmembers of the groups. In other embodiments, a single user may enter anddefine some or all of the malfunctions via the client. The server mayreceive the defined malfunctions in a batch, at predetermined updatetimes, or in real time as the malfunctions are defined and entered byusers into the client.

In various embodiments, the users of clients may be assigned permissionlevels, and only users of a certain permission level may entermalfunction cases, block 202. The collaborative tool, or a separateprocess of the server, may determine if a user of a client has logged onwith an appropriate permission level before accepting the malfunctioncases from the client. In some embodiments, where the tool is a webapplication and the client is a web browser, the tool may first providethe client with a login/authentication web page, of the sort often usedin the art, and may provide the client with a web page allowing theentry of malfunction cases only when the tool has ascertained that theuser of the client has the proper permission level.

In some embodiments, any scheme of permission levels known in the artmay be used. For example, the tool may define roles of “ReadOnlyUser,”“ReadWriteUser,” “SystemFocal,” and “Admin.” A “ReadOnlyUser” may onlyview the malfunctions, effects, and their relationships, but may notenter or modify them. A “ReadWriteUser” has the privileges of a“ReadOnlyUser” and may also enter direct and indirect effects of certainmalfunctions, and may also enter associated flight deck messages andcompensatory flight crew/pilot actions that may be taken in the eventthe malfunction occurs. The user may then only modify and/or delete thedata that he or she has entered. A “SystemFocal” user has the privilegesof a “ReadWriteUser,” and may also enter, update, and delete malfunctioncases for one or more systems. An “Admin” user may have completepermissions to view, enter, update, and delete malfunctions, effects,and associated data.

In alternate embodiments, malfunction cases may be received directly bythe server from the malfunctioning system, block 202. The system may beequipped with a sensor or embedded system capable of transmitting asignal in the event of a system malfunctions or fails. Upon sensing amalfunction, the sensor or embedded system may immediately alert theserver, in real time. The signal sent may be of any sort known in theart, such as a radio frequency (RF) signal or a light signal. Suchsensors, embedded devices, and signals are well known in the art, andneed not be described further.

As illustrated, the server may also receive direct effects, block 204,and indirect effects, block 206, of malfunction cases from clients,entered by users of clients. A direct effect may be any primary effectresulting directly from a system malfunction. An indirect effect may beany secondary, tertiary, and so on, effect resulting indirectly from asystem malfunction and directly from a direct effect or from anotherindirect effect. Thus, users may enter effects and their propagation,indicating for each entered effect which malfunction, direct effect, orindirect effect the newly entered effect may result from. For example,the electric bus malfunction mentioned above may have a number of directeffects, such as hydraulic effects, navigational effects, and avionicseffects. The hydraulic effect may be associated with an indirect effect,such as a flight control effect, and the indirect flight control effectmay be associated with a further indirect effect, such as an air framevibration effect. In some embodiments, an effect may be associated witha combination of malfunction cases, other effects, or combinations ofboth, only occurring when the combination occurs. Thus, for example, acertain direct effect may occur only when two malfunctions occur, or acertain indirect effect may occur only when two direct effects and/orindirect effects occur. Further, in various embodiments, when a directeffect has been entered for one malfunction, and is then entered againfor a second malfunction, the tool may map the indirect effect(s)associated with that direct affect to the second entry of the directeffect, removing the need to reenter the same data.

In some embodiments, the effects are entered by the same groups of usersthat have entered the malfunction cases. In other embodiments, theeffects are entered by additional teams of system analysts. As mentionedabove, only users with a certain permission level may enter the variouseffects. For example, the tool may require that a user be a“ReadWriteUser,” a “SystemFocal” user, or an “Admin” user to entereffects of malfunctions. In some embodiments, the malfunctions, directeffects, and indirect effects are entered in iterative cycles, with thetool notifying users through clients or through email when a newmalfunction or effect has been entered, necessitating the users' reviewand the entry of additional levels of direct and indirect effects. Thus,after entering one level on indirect effects associated with directeffects, a user may be prompted by the collaborative tool method toenter another level of indirect effects, block 208, and the user may ormay not elect to enter the additional level of indirect effects.Further, in addition to entering direct and indirect effects, users mayalso enter flight deck messages and compensatory pilot/flight crewactions associated with a malfunction case, and occurrence probabilitiesand hazard levels for each effect, similar to the probabilities andhazard levels described above in reference to malfunction cases.

In an alternate embodiment, the server may only receive signalsindicating malfunctions from system, rather than receiving malfunctioncases and effects entered by users. The systems experiencing amalfunction or an effect of a malfunction (manifesting itself as asecondary or tertiary malfunction) may alert the server of themalfunctions in the manner described above. The tool of the server maythen deduce which received signals indicate malfunctions, which indicatedirect effects, and which indicate indirect effects either from the timeof signal arrival or from a pre-determined airplane schematic indicatingsystem relationships. In some embodiments, such airplane designschematics may be stored in a system design database that may beaccessible by the server. In such embodiments, each system may have aunique signal, thus allowing the tool to determine the systemexperiencing the malfunction or effect.

Referring again to FIG. 2, the collaborative tool method may store thereceived malfunction cases, effects, and other additional information(comprising system malfunction effects data) in a database, block 210.The database may be any sort of database known in the art, including arelational database possessing a plurality of tables connected by datarelationships. Each malfunction and effect may be stored in a table,with the relationships between the tables corresponding to therelationships between the malfunctions, direct effects, and indirecteffects. Flight deck messages and compensatory actions of the kinddescribed above may be stored in their own tables or may be stored asfields of malfunction or effect tables for the malfunction or effect towhich the messages and actions are related. Additionally, the abovetables may include fields for probabilities and hazard levels. Inalternate embodiments, the tool may store the system malfunction effectsdata in structures of a file rather than in the database.

As shown, once the collaborative tool method has received and stored thesystem malfunction effects data, the method may facilitate users inviewing the data through the clients, block 212. A user requesting toview one or more malfunctions and their direct and indirect effects, mayhave the content comprising the requested malfunctions and effectspresented in a relational fashion, illustrating the associations betweeneach malfunction and its one or more direct effects, between each directeffect and its possible one or more indirect effects, and in someembodiments, between each indirect effect and its further one or moreindirect effects. The content may be presented in a graphic treestructure on a web page created by the tool, and the web pageillustrating content may be sent to the client, and displayed on theclient to the user. Thus, the user may view a graphic web pagedisplaying malfunctions and their associated effects, with the effectpropagation illustrated by a tree structure or some similar graphicrepresentation. In other embodiments, displayed content may also includeflight deck messages and compensatory actions, and may include themessages and actions as part of the web page graphic display generatedby the tool. In yet other embodiments, the web page provided to theclient may be and interactive web page, facilitating a user in viewingprobabilities and hazard levels associated with a malfunction or effectby returning an additional web page displaying such content in responseto a user click on a malfunction or effect on the interactive webpagecreated by the tool. In addition to the above described design groups,pilots and other airline personnel may also view the system malfunctioneffects data. Such users might be assigned a permission level of“ReadOnlyUser.”

In various embodiments, the web page generated by the collaborative toolmethod may also facilitate a user in modifying malfunctions, effects, orassociated data, block 214. The ability of a user to modify or deleteany portion of the data may be controlled by a permission level of theuser, as discussed above, with some users only able to edit or deleteeffects of a certain malfunction, some users able to do that, and inaddition edit and delete certain malfunctions, and some users able toedit and delete any portion of the system malfunction effects data. Suchmodifications may be achieved by providing users with interactive webpage elements for those elements the user is able to modify. Forexample, a web page for a certain user might have interactive effectboxes displayed as part of the web page. The user might either be ableto change information displayed in the boxes or delete the boxes. Suchinteractivity may be achieved by client and/or server side scripting.This sort of scripting is well known in the art, and need not bedescribed further. Additionally, if a user deletes an effect, anyindirect effects associated only with that effect may also beautomatically deleted. The user's manipulations of the displayed datamay be communicated back to the server by the client, and stored by thetool.

In some embodiments, the collaborative tool method may also generatereports capable of use in an airplane design certification process,block 216. The tool may provide a web page to a user of a client thatallows a client to select among and/or enter a number of parameters tocustomize the report generated by the tool.

Further, in some embodiments, the collaborative tool method mayrecommend changes to an airplane design, block 218. Design changerecommendations might be triggered by the result of a hazard level orlevels of one or more malfunctions and/or effects multiplied by theprobabilities of the malfunctions/effects exceeding a certain threshold.For example, hazard levels might be numerically represented, with a“one” indicating the lowest hazard level and a “five” indicating thehighest. A threshold metric triggering a design change recommendationmight be “three.” Thus, any malfunction or effect having a hazard levelof “five” and a probability of sixty percent or more would trigger adesign change recommendation. A design change recommendation might betriggered by a more complex formula as well, such as one measuring thenumber of levels of indirect effects and/or considering theprobabilities of occurrence of the effects in the case of a malfunction.Such a recommendation might result in a “halt” message being sent topersonnel and/or systems responsible for an airplane system supplychain. Alert emails notifying users of the design change recommendationmay also be sent to the design group or groups associated with themalfunction(s) and/or effect(s) triggering the recommendation.

FIG. 3 illustrates a collaborative, roles-based aspect of the presentinvention, in accordance with various embodiments. As described above inreference to FIGS. 1 and 2, a plurality of design groups 304 may beinvolved in entering malfunction cases and effects, block 302, which inturn may be received by a collaborative tool 308. In some embodiments,each design group 304 may have a particular area of expertise, and mayenter malfunctions and effects associated with that area of expertise.In alternate embodiments, sensors or embedded systems of systems 306 mayautomatically transmit signals to tool 308 in the event that a system306 malfunctions. The processes for entering and receiving malfunctionsand effects are described in greater detail above.

As is also shown, a plurality of design groups 312 may be involved inviewing and modifying the malfunction cases and effects, block 310. Insome embodiments, design groups 312 may be the same as design groups304. Again, each design group 312 may have a particular area ofexpertise, and may view and modify malfunctions and effects associatedwith that area of expertise. Additionally, pilots 314 and other airlinepersonnel may also view malfunctions, effects, and other associateddata, such as the above described compensatory actions. The processesfor viewing and modifying malfunctions and effects are described ingreater detail above.

FIG. 4 illustrates an exemplary relational database schema of thepresent invention, including a plurality of malfunction and effectstables, in accordance with various embodiments. As described above inreference to FIGS. 1 and 2, the tables may store malfunction and effectdata, with the associations between the tables corresponding to theassociations between the malfunctions, the direct effects, and theindirect effects. Tables may also store flight deck messages andcompensatory actions for flight crews/pilots in the event a malfunctionoccurs. In other embodiments, however, the messages and actions may bestored as fields of the table storing the malfunction/effect themessage/action is associated with. Further, fields of the tables mayalso store occurrence probabilities and/or hazard levels for eachmalfunction/effect.

FIG. 5 illustrates an example computing device suitable for use topractice the present invention, in accordance with various embodiments.As shown, computing device 500 includes one or more processors 502, andsystem memory 504. Additionally, computing device 500 includes massstorage devices 506 (such as diskette, hard drive, CDROM and so forth),input/output devices 508 (such as keyboard, cursor control and so forth)and communication interfaces 510 (such as network interface cards,modems and so forth). The elements are coupled to each other via systembus 512, which represents one or more buses. In the case of multiplebuses, they are bridged by one or more bus bridges (not shown).

Each of these elements performs its conventional functions known in theart. In particular, system memory 504 and mass storage 506 may beemployed to store a working copy and a permanent copy of the programminginstructions implementing an embodiment of the present invention orselected aspects, here shown as computational logic 522. The programminginstructions may be implemented as assembler instructions supported byprocessor(s) 502 or high level languages, such as C, that can becompiled into such instructions.

The permanent copy of the programming instructions may be placed intopermanent storage 506 in the factory, or in the field, through e.g. adistribution medium (not shown) or through communication interface 510(from a distribution server (not shown)).

The constitution of these elements 502-512 are known, and accordinglywill not be further described.

Although specific embodiments have been illustrated and describedherein, it will be appreciated by those of ordinary skill in the artthat a wide variety of alternate and/or equivalent implementations maybe substituted for the specific embodiments shown and described, withoutdeparting from the scope of the present invention. Those with skill inthe art will readily appreciate that the present invention may beimplemented in a very wide variety of embodiments or extended therefrom. For example, in various embodiments, the system may also beextended to provide confidence metrics for the predictions. Thisapplication is intended to cover any adaptations or variations of theembodiments discussed herein. Therefore, it is manifestly intended thatthis invention be limited only by the claims and the equivalentsthereof.

1. A method comprising: receiving system malfunction effects dataincluding at least one malfunction and a plurality of direct andindirect effects associated with each of the at least one malfunction;storing the received system malfunction effects data; and facilitating auser in viewing and/or modifying the system malfunction effects data,and the viewing includes presenting the data in a relational fashion,with each malfunction linked to one or more direct effects, and eachdirect effect linked to one or more indirect effects.
 2. The method ofclaim 1, wherein the system malfunction effects data comprise airplanelevel failure effects propagation data.
 3. The method of claim 1,wherein said facilitating of a user in viewing and/or modifying thesystem malfunction effects data further comprises facilitating a user inviewing and/or modifying only a portion of the data that the user isallowed to view and/or modify based a permission level associated withthe user.
 4. The method of claim 1, wherein at least one of amalfunction, a direct effect, and an indirect effect is associated witha numerical probability.
 5. The method of claim 1, wherein a directeffect is associated with a combination of malfunctions, only occurringwhen the combination occurs, and an indirect effect is associated with acombination of direct effects.
 6. The method of claim 1, furthercomprising mapping one or more indirect effects associated with a directeffect to a new malfunction, when the direct effect is associated withthe new malfunction.
 7. The method of claim 1, further comprisingrecommending a design change based at least on the system malfunctioneffects data.
 8. The method of claim 1, further comprising preparing areport of the system malfunction effects data, for use in acertification process.
 9. An apparatus comprising: a processor; and acollaborative tool operated by the processor to receive systemmalfunction effects data including at least one malfunction and aplurality of direct and indirect effects associated with each of the atleast one malfunction; store the received system malfunction effectsdata; and facilitate a user in viewing and/or modifying the systemmalfunction effects data, and the viewing includes presenting the datain a relational fashion, with each malfunction linked to one or moredirect effects, and each direct effect linked to one or more indirecteffects.
 10. The apparatus of claim 9, wherein the collaborative tool isfurther operated by the processor to receive the system malfunctioneffects data, and the receiving further comprises receiving at least apart of the system malfunction effects data automatically from one ormore affected systems.
 11. The apparatus of claim 9, wherein thecollaborative tool is further operated by the processor to store thesystem malfunction effects data, and the storing comprises storing thedata in a relational database.
 12. The apparatus of claim 9, wherein thesystem malfunction effects data comprise airplane level failure effectspropagation data.
 13. The apparatus of claim 9, wherein thecollaborative tool is further operated by the processor to facilitate auser in viewing and/or modifying the system malfunction effects data,and the facilitating further comprises facilitating a user in viewingand/or modifying only a portion of the data that the user is allowed toview and/or modify based a permission level associated with the user.14. The apparatus of claim 9, wherein a direct effect is associated witha combination of malfunctions, only occurring when the combinationoccurs, and an indirect effect is associated with a combination ofdirect effects.
 15. The apparatus of claim 9, wherein the collaborativetool is further operated by the processor to recommend a design changebased at least on the system malfunction effects data.
 16. The apparatusof claim 9, wherein the collaborative tool is further operated by theprocessor to prepare a report of the system malfunction effects data,the report capable of use in a certification process.
 17. An article ofmanufacture comprising: a storage medium; and a plurality of programminginstructions stored in the storage medium, the plurality of programminginstructions adapted to program an apparatus to enable the apparatus toreceive system malfunction effects data including at least onemalfunction and a plurality of direct and indirect effects associatedwith each of the at least one malfunction; store the received systemmalfunction effects data; and facilitate a user in viewing and/ormodifying the system malfunction effects data, and the viewing includespresenting the data in a relational fashion, with each malfunctionlinked to one or more direct effects, and each direct effect linked toone or more indirect effects.
 18. The article of claim 17, wherein thesystem malfunction effects data comprise airplane level failure effectspropagation data.
 19. The article of claim 17, wherein the plurality ofprogramming instructions is further adapted to enable the apparatus tofacilitate a user in viewing and/or modifying the system malfunctioneffects data, and the facilitating further comprises facilitating a userin viewing and/or modifying only a portion of the data that the user isallowed to view and/or modify based a permission level associated withthe user.
 20. The article of claim 17, wherein the plurality ofprogramming instructions is further adapted to enable the apparatus toprepare a report of the system malfunction effects data, the reportcapable of use in a certification process.